Unable to logout and login to a different account (on here)


Dean_

Yeah, I've had this too on my own and client's sites - the only way to get out of it is to clear your cookies and browser cache. No idea why it doesn't take you to the login fields like it used to, but it is a pain when you need to log in with different details for whatever. Does this in the ACP when you try to log in to the marketplace and want to use a different account - I must do this as I manage a client's site for him - and it actually says login with a different account and it just logs you back in again as you lol.


2 hours ago, Morrigan said:

This site uses SSO from the client area part of the site.

This is what I gathered was happening, I went to the forum account settings and looked there in case it was like the Twitter/Facebook linking, but of course it wasn't.

Thanks for clearing it up.

I just feel this is another unnecessarily complicated way to do simple tasks, even more steps now to simply log out of an account.

Edited by Dean_

Interesting someone brought this up. Because I use this Invision account now, I had trouble logging in when I was using my other account @breatheheavy

Wondering if this is happening to a lot more members. I know previously on my own forum it was frowned upon (actually against the rules) to have two accounts, but the times have changed. IG, FB, all allow you to switch accounts. If more people are interested in this I can bring it up to the team.

 


5 minutes ago, Jordan Invision said:

Wondering if this is happening to a lot more members.

I just tested it and can confirm. To replicate:

  1. Click on your display name on the upper right (assuming on desktop), and click "Sign Out"
  2. Verify you are now at the IPS homepage, and see "Existing user? Sign in"
  3. Click the Existing User? Sign In link and choose "Sign in with Email"
  4. You are now logged in. You typed no username, no e-mail, no password.

I think there's a basic expectation that when you click Sign Out, you will not be able to sign back in without providing a credential of some sort. I have no social network accounts linked to my account here.

I'd put this in the vulnerability category.


17 minutes ago, Paul E. said:

I just tested it and can confirm. To replicate:

  1. Click on your display name on the upper right (assuming on desktop), and click "Sign Out"
  2. Verify you are now at the IPS homepage, and see "Existing user? Sign in"
  3. Click the Existing User? Sign In link and choose "Sign in with Email"
  4. You are now logged in. You typed no username, no e-mail, no password.

I think there's a basic expectation that when you click Sign Out, you will not be able to sign back in without providing a credential of some sort. I have no social network accounts linked to my account here.

I'd put this in the vulnerability category.

It's super convenient with the SSO, but a little tricky if you need to switch accounts. I would imagine there are so few people that need to switch accounts that this might not be a top priority unless more people weigh in of course. 🙏

No social media, @Paul E.?! What's that like 😂 I'm intrigued 


Ok, imagine I'm on a public computer, or am borrowing someone's computer, and need to log into IPS to update a support request. I log in, update my ticket, and then like a responsible person, click log out.

I then get on a train home, six hours away. No internet service, because it's like mountains and stuff. Meanwhile, someone else jumps on the machine I was using, goes to IPS, and clicks the sign in button, and without providing or knowing my username and password now has access to my IPS account, license, and identity.

This isn't a tricky or abnormal situation. Log out is not appropriately logging out here. I don't know if it's a problem with IPS in general and impacts other communities, or however the multiple communities under one domain situation IPS has rigged together here is set up, but this is not a good thing.


4 hours ago, Jordan Invision said:

Interesting someone brought this up. Because I use this Invision account now, I had trouble logging in when I was using my other account @breatheheavy

Wondering if this is happening to a lot more members. I know previously on my own forum it was frowned upon (actually against the rules) to have two accounts, but the times have changed. IG, FB, all allow you to switch accounts. If more people are interested in this I can bring it up to the team.

 

Ewww. I can see this if you are on social media and want a personal account and a brand but on a forum? No. The linked mod allowed people in my community to have multiple accounts for characters prior to my character manager AND allowed for staff members to all be able to post as a staff account instead of individual accounts. This is important for some communities as they would prefer that end users not know who posted the moderator action.

I may be amenable to a Brand account or similar sort of shared or separate account that allowed individuals can post using as long as there is a primary owner of said brand account and its logging is tied into the new anonymous feature that is coming so you always know the actual account that performed an action.

Issues then become permissions and a mess so... my 2 cents


While I don't believe there's a true security concern here (think of the situation like logging in to a third party site using Facebook...if you log out of that site you are not inherently logged out of Facebook too), I can appreciate the confusion and concerns raised in this topic and have brought the discussion up internally to take a look at. Thanks everyone!

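A minimal model of the behaviour debated in this thread, added here as an illustration and not taken from any post or from Invision Community's code: when the forum's sign-out ends only its local session, the central SSO session answers the next sign-in silently. The class names, the `single_logout` and `force_reauth` options and the sample account are assumptions made for the example.

```python
# Added illustration: a toy model of SSO sessions, not Invision Community code.
# All class, method and option names here are hypothetical.

class IdentityProvider:
    """Central login service (the 'client area' role described in the thread)."""
    def __init__(self, accounts):
        self.accounts = accounts          # username -> password (constructed sample data)
        self.sessions = {}                # browser id -> username

    def authenticate(self, browser, credentials=None, force_reauth=False):
        # An existing central session answers silently unless re-authentication is forced.
        if not force_reauth and browser in self.sessions:
            return self.sessions[browser]
        if credentials and self.accounts.get(credentials[0]) == credentials[1]:
            self.sessions[browser] = credentials[0]
            return credentials[0]
        return None                       # a real provider would show its login form here

    def end_session(self, browser):
        self.sessions.pop(browser, None)


class Forum:
    """Relying site that delegates sign-in to the identity provider."""
    def __init__(self, idp):
        self.idp = idp
        self.sessions = {}                # browser id -> username

    def sign_in(self, browser, credentials=None, force_reauth=False):
        user = self.idp.authenticate(browser, credentials, force_reauth)
        if user:
            self.sessions[browser] = user
        return user

    def sign_out(self, browser, single_logout=False):
        self.sessions.pop(browser, None)  # the local session always ends
        if single_logout:
            self.idp.end_session(browser) # also end the central session


def replay(single_logout=False, force_reauth=False):
    """Sign in, sign out, then click 'Sign in' again without typing anything."""
    forum = Forum(IdentityProvider({"paul": "correct horse"}))
    forum.sign_in("shared-pc", ("paul", "correct horse"))
    forum.sign_out("shared-pc", single_logout=single_logout)
    return forum.sign_in("shared-pc", force_reauth=force_reauth)
```

`replay()` returns the account name with no credentials supplied, matching the steps reported in the thread; with `single_logout=True` or `force_reauth=True` it returns `None`, meaning a login form would be shown instead.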
